SAP Hana Authentication


Thank you for your interest in authenticated scanning! When you configure and use 
authentication, you get a more in-depth assessment of your hosts, the most accurate results and 
fewer false positives. This document provides tips and best practices for setting up SAP Hana 
authentication for compliance scans. 


A few things to consider 


Why should I use authentication? 


With authentication we can remotely log in to each target system with credentials that you 
provide, and because we’re logged in we can do more thorough testing. This will give you better 
visibility into each system's security posture. Is it required? Yes, it’s required for compliance 
scans. 


Are my credentials safe? 


Yes, credentials are exclusively used for READ access to your system. The service does not 
modify or write anything on the device in any way. Credentials are securely handled by the 
service and are only used for the duration of the scan. 


Which technologies are supported? 


For the most current list of supported authentication technologies and the versions that have 
been certified for VM and PC by record type, please refer to the following article: 


Authentication Technologies Matrix


What are the steps? 


First, set up a SAP Hana user account and privileges (on target hosts) for authenticated scanning. 
Then, using Qualys Policy Compliance, complete these steps: 1) Add a SAP Hana authentication 
record. 2) Launch a compliance scan. 3) Run the Authentication Report to find out if 
authentication passed or failed for each scanned host. 


SAP Hana Credentials 


We've provided a set of scripts below to help you set up an account and privileges which must 
exist prior to running scans. These scripts require a super-user account. Please run the scripts 
provided, in the order shown. The role and scan account need to be created in the SYSTEM 
database to run successfully. 


1) Create a Role for the Scan Account 


This script creates a role for the user account to be used for scanning. It also grants privileges to 
the role needed for successful authentication and compliance scanning. We recommend 
creating a role called QUALYS_ROLE. 


-- Run as a super-user in the SYSTEM database.
CREATE ROLE QUALYS_ROLE;
GRANT SELECT on SYS.USERS to QUALYS_ROLE;
GRANT SELECT on SYS.M_DATABASE to QUALYS_ROLE;
GRANT SELECT on SYS.M_DATABASES to QUALYS_ROLE;
GRANT SELECT on SYS.M_INIFILE_CONTENTS to QUALYS_ROLE;
GRANT SELECT on SYS.EFFECTIVE_ROLE_GRANTEES to QUALYS_ROLE;
GRANT SELECT on SYS.EFFECTIVE_PRIVILEGE_GRANTEES to QUALYS_ROLE;
GRANT SELECT on SYS.GRANTED_PRIVILEGES to QUALYS_ROLE;
GRANT CATALOG READ TO QUALYS_ROLE;
GRANT SELECT on _SYS_SECURITY._SYS_PASSWORD_BLACKLIST to QUALYS_ROLE;
GRANT SELECT on SYS.AUDIT_POLICIES to QUALYS_ROLE;


2) Create a User Account 


This script creates a restricted user account and alters the user with ENABLE CLIENT CONNECT.
Please provide a password before running the script. The script also grants the role created in 
Step 1 to the account. Tip - We recommend creating an account called QUALYS_SCAN. 


-- Replace <password> with the scan account password before running.
CREATE RESTRICTED USER QUALYS_SCAN PASSWORD <password>;
ALTER USER QUALYS_SCAN ENABLE CLIENT CONNECT;
ALTER USER QUALYS_SCAN DISABLE PASSWORD LIFETIME;
GRANT QUALYS_ROLE to QUALYS_SCAN;


3) Verify Privileges on the Scan Account


3a) Verify that you can log into the SAP Hana Database as QUALYS_SCAN and are able to 
successfully run the query below. If prompted for a password change, please update the 
password on the first login. 


select count(1) from SYS.USERS; 


3b) Verify that the qualys_scan account has all the privileges listed in the table below in order to 
run a successful compliance scan for the system database. Log into the instance using the 
Admin account, then run the following query to verify the privilege assigned to the 
‘QUALYS_SCAN’ account. 


select GRANTEE, PRIVILEGE, OBJECT_NAME from EFFECTIVE_PRIVILEGES where
USER_NAME = 'QUALYS_SCAN' and GRANTEE = 'QUALYS_SCAN';


Expected output: 


Grantee       Privilege      Object Name
QUALYS_SCAN   CATALOG READ
QUALYS_SCAN   SELECT         M_DATABASE
QUALYS_SCAN   SELECT         M_INIFILE_CONTENTS
QUALYS_SCAN   SELECT         EFFECTIVE_PRIVILEGE_GRANTEES
QUALYS_SCAN   SELECT         USERS
QUALYS_SCAN   SELECT         _SYS_PASSWORD_BLACKLIST
QUALYS_SCAN   SELECT         M_DATABASES
QUALYS_SCAN   SELECT         EFFECTIVE_ROLE_GRANTEES
QUALYS_SCAN   SELECT         AUDIT_POLICIES
QUALYS_SCAN   SELECT         GRANTED_PRIVILEGES


Did you get different results? Contact your SAP Hana DBA to ensure that privileges are set up 
correctly. 
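
One way to check the step 3b output mechanically, as an added example (not Qualys code): it diffs a CSV export of the verification query against the expected grants listed above and flags anything beyond read access. The CSV layout, the NULL markers and the function name audit_grants are assumptions; the sample export is constructed.

```python
import csv
import io

# Expected (PRIVILEGE, OBJECT_NAME) pairs from the table in step 3b.
EXPECTED = {
    ("CATALOG READ", None),
    ("SELECT", "M_DATABASE"),
    ("SELECT", "M_DATABASES"),
    ("SELECT", "M_INIFILE_CONTENTS"),
    ("SELECT", "EFFECTIVE_PRIVILEGE_GRANTEES"),
    ("SELECT", "EFFECTIVE_ROLE_GRANTEES"),
    ("SELECT", "GRANTED_PRIVILEGES"),
    ("SELECT", "USERS"),
    ("SELECT", "_SYS_PASSWORD_BLACKLIST"),
    ("SELECT", "AUDIT_POLICIES"),
}
READ_ONLY = {"SELECT", "CATALOG READ"}
NULLS = {"", "?", "NULL"}  # assumed ways an export tool may render SQL NULL

def audit_grants(csv_text, account="QUALYS_SCAN"):
    """Diff exported GRANTEE,PRIVILEGE,OBJECT_NAME rows against EXPECTED."""
    seen = set()
    for row in csv.reader(io.StringIO(csv_text.strip())):
        if len(row) != 3 or row[0].strip().upper() == "GRANTEE":
            continue  # skip the header line and malformed rows
        grantee, privilege, obj = (c.strip().upper() for c in row)
        if grantee == account:
            seen.add((" ".join(privilege.split()), None if obj in NULLS else obj))
    return {
        "missing": sorted(EXPECTED - seen, key=str),
        "unexpected": sorted(seen - EXPECTED, key=str),
        "not_read_only": sorted((g for g in seen if g[0] not in READ_ONLY), key=str),
    }

# Constructed sample export: AUDIT_POLICIES is missing and an INSERT grant crept in.
SAMPLE = """GRANTEE,PRIVILEGE,OBJECT_NAME
QUALYS_SCAN,CATALOG READ,?
QUALYS_SCAN,SELECT,M_DATABASE
QUALYS_SCAN,SELECT,M_DATABASES
QUALYS_SCAN,SELECT,M_INIFILE_CONTENTS
QUALYS_SCAN,SELECT,EFFECTIVE_PRIVILEGE_GRANTEES
QUALYS_SCAN,SELECT,EFFECTIVE_ROLE_GRANTEES
QUALYS_SCAN,SELECT,GRANTED_PRIVILEGES
QUALYS_SCAN,SELECT,users
QUALYS_SCAN,SELECT,_SYS_PASSWORD_BLACKLIST
QUALYS_SCAN,INSERT,USERS
"""

print(audit_grants(SAMPLE))
```

An empty result in all three lists means the account matches the expected output exactly; entries under not_read_only contradict the READ-only access this setup is meant to provide.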

SAP Hana Authentication Records


You'll create SAP HANA authentication records in Qualys to associate credentials to hosts (IPs). 

You'll need to supply a user name and password (or use password vault), the database you want 
to authenticate to and the port the database is on. This record type is only available in accounts 
with PC or SCA, and is only supported for compliance scans. 


How do I get started?


Go to Scans > Authentication, and then go to 
New > Databases > SAP HANA. 


Can I access a password in a vault? 


Yes. We support integration with multiple third 
party password vaults. Go to Scans > 
Authentication > New > Authentication Vaults 
and tell us about your vault system. 


In the SAP HANA record, choose Authentication 
Type: Vault based on the Login Credentials tab 
and select your vault type and vault record. At 
scan time, we'll authenticate to hosts using the 
account name in your record and the password 
we find in your vault. 

[Screenshot: New SAP HANA Record, Login Credentials tab, with Authentication Type set to "Vault based". On-screen help: "Provide login credentials for the SAP Hana database. You also have the option to get the login password from a vault available in your account." Fields: Username, Vault Type, Vault Record, Vault Folder, Vault File. Vault types shown in the drop-down: CyberArk PIM Suite, CyberArk AIM, Thycotic Secret Server, BeyondTrust PBPS, HashiCorp, Azure Key, Arcon PAM.]


What database information is required? 


On the Target Configuration tab, tell us the database name to authenticate to and the port the 
database is running on. 


[Screenshot: New SAP HANA Record, Target Configuration tab. On-screen help: "Tell us the user account to use for authentication, the database instance you want to authenticate to, and the port where the database is installed." Fields: Database Name, Port, SSL Verify ("Select this option to verify that the server's SSL certificate is valid and trusted") and Hosts ("Provide a list of FQDNs for all host IP addresses on which a custom SSL certificate signed by a trusted root CA is installed.").]


Tell me about SSL verification


By default, the scanner will verify the SSL certificate used by the SAP HANA device to make sure 
the certificate is valid and trusted. You may want to clear this option to skip SSL verification if 
the device is not configured with a certificate, the certificate was not issued by a well-known 
certificate authority (CA) or the certificate is self-signed. 


What do I enter in the Hosts field?


Enter a list of FQDNs for the hosts that correspond to all host IP addresses on which a custom
SSL certificate signed by a trusted root CA is installed. Multiple hosts are comma separated.


Unix Configuration 


On the Unix Configuration tab, enter the full path to the SAP HANA configuration files on your 
Unix hosts. These files are accessed to run certain checks. Ensure that files are in the same 
location for all the hosts that you want to scan.


[Screenshot: New SAP HANA Record, Unix Configuration tab. On-screen help: "Enter the full path to the SAP HANA configuration file on your Unix hosts. The file must be in the same location for all hosts (IPs) in this record. If different, create another record." Field: Configuration File, example: /etc/saphana.conf]


Which IPs should I add to my record?


Select the IP addresses for the SAP HANA databases that the scanning engine should log into 
using the specified credentials. 


[Screenshot: New SAP HANA Record, IPs tab. On-screen help: "Add IPs to your SAP HANA record." Field: Enter or Select IPs/Ranges, example: 192.168.0.87-192.168.0.92, 192.168.0.200]


Last updated: May 27, 2022 